temporary note tracking docs

Users are tiered:

Lowest level - Bare Metal:

• lunahhprovisioner: Manual acct for bootstrapping and deploying basic VPC elements.
  • Needs to be able to:
    • Put SSH keys on proxmox nodes with Ansible
    • Deploy VMs
  • Requires following privileges:
    • DataStore:
      • AllocateSpace: Allocate space on a datastore (i.e. make disks.)
      • AllocateTemplate: Allocate / upload templates and ISO images (required to get base images.)
      • Audit: View / browse a datastore (is this really required?)
    • Pool: Allocate: Create / remove / modify a pool (not really required, but useful!)
    • Sys:
      • Audit: View node status / config, Corosync cluster config, and HA config (kind of required, definitely useful.)
      • Console: Console access to node (required.)
      • Modify: Create / modify / remove node network parameters (required.)
    • VM:
      • Allocate: Create / remove VM on a server / node.
      • Audit: View VM Config.
      • Clone: Clone / copy a VM.
      • Config:
        • CDROM: Eject / change CD-ROM.
        • Cloudinit: Modify cloud-init parameters.
        • CPU: Modify CPU settings.
        • Disk: Add / modify / remove disks.
        • HWType: Modify emulated hardware types.
        • Memory: Modify memory settings.
        • Network: Add / modify / remove network devices.
        • Options: Modify any other VM configuration.
      • Migrate: Migrate a VM to alternate server / node on cluster.
      • Monitor: Access to VM monitor (kvm.)
      • PowerMgmt: Start, stop, e.g.
      • SND.Use: Access SDN vnets and local network bridges.
• Tim
• Root

Within lunahh VPC:

• Lunahh group & users are nonadmin

Within lunareng VPC (inside lunahh VPC?):

• Basically ditto

Roles and permissions: who can do what? Default should be minimal. Lunahhprov only needs to be able to upload files.

This provisioner should be able to log on and create a user which also deploys ssh keys to every node.

Use ci to push docs to Notion.

BLERGH: MUST CREATE MANUAL USER EW

Lunahhprov requires what for VM? requires ssh and requires the following permissions

PVE Proxmox User Management allows for out-of-the-box user management for both ‘local’ (or PAM) users and ‘cluster’ (or PVE) users. It can additionally connect to open standards like AD and LDAP and OpenID.

It allows for setting roles which assign policy; this is a typical ‘cloud’ environment setup and you can find a similar setup in many cloud tenants.

Proxmox comes with an API which allows you to work with it in automation like other major cloud providers.